How to Deal With the Cyber Kill Chain

Many cyber-security teams have turned to a well-understood military concept, the kill chain, which details how adversaries structure their attacks.

Reconnaissance: Gather information to enable attacks on assets

Monitor threat intelligence on known actors, and watch for communications that indicate possible reconnaissance attempts by those targeting your assets.
Set alerts for, and act immediately on, any stolen credentials, personally identifiable information or confidential company information that appears on the internet.

Monitor and gain visibility into actor-based threat intelligence feeds that provide insight into Trusted Third Parties and malware Indicators of Compromise that may target your business or assets.
Capture and analyze any network traffic payloads for malware indicators.

Ensure all ingress and egress network connections have inline inspection based on signature and non-signature mechanisms, including within encrypted payloads.
Ensure inline inspection covers the full application layer (Layer 7), not just the network layer.

Installation: Installing malware on the asset

Deploy an endpoint protection system (EPS) to inspect all applications before they are installed.
Connect the EPS to a threat intelligence system with up-to-date malware hash information.

Command and Control (C2): Command channel for remote manipulation

Gather and monitor threat intelligence feeds that identify all known C2 servers worldwide.
Use your threat intelligence platform to select and prioritize which systems to protect.
Connect the threat intelligence to your threat mitigation gateways to automate protection against C2 communications.
Ensure post-infection investigation and analysis of internal lateral movement so that other infected hosts are found.
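The C2 tips above combine two steps: match outbound connections against a feed of known C2 servers, then pivot from each matching host to the internal hosts it reached afterwards. The following is an added example, not code from the article or from LookingGlass; the indicator feed, the flow log format and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed C2 indicator feed: placeholder values, not real infrastructure.
C2_INDICATORS = {"198.51.100.23", "c2-placeholder.example"}
# Constructed flow log lines; 10.0.0.0/8 is the assumed internal range.
LOG_LINES = [
    "2024-05-01T10:00:05Z src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2024-05-01T10:02:11Z src=10.0.0.5 dst=198.51.100.23 dport=8443",
    "2024-05-01T09:50:00Z src=10.0.0.9 dst=10.0.0.5 dport=22",
    "2024-05-01T10:05:40Z src=10.0.0.5 dst=10.0.0.9 dport=445",
    "2024-05-01T10:07:15Z src=10.0.0.9 dst=c2-placeholder.example dport=443",
    "2024-05-01T10:09:00Z src=10.0.0.12 dst=10.0.0.5 dport=3389",
]
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def parse_flows(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def is_internal(addr):
    """True for addresses inside INTERNAL_NET; hostnames and outside IPs are external."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL_NET
    except ValueError:
        return False

def find_c2_contacts(lines, indicators):
    """Map each host to the time of its earliest connection to a feed indicator."""
    first = {}
    for ts, src, dst, _ in parse_flows(lines):
        if dst in indicators and (src not in first or ts < first[src]):
            first[src] = ts
    return first

def lateral_peers(lines, host, since):
    """Internal hosts that `host` connected to at or after `since`: the next hosts to check."""
    return {dst for ts, src, dst, _ in parse_flows(lines)
            if src == host and ts >= since and is_internal(dst)}

def triage(lines, indicators):
    """For each host seen talking to C2, the internal hosts it reached afterwards."""
    return {h: sorted(lateral_peers(lines, h, ts))
            for h, ts in find_c2_contacts(lines, indicators).items()}
```

Connections made before the first C2 contact are deliberately excluded, so the pivot only surfaces hosts reached after the infection window opened.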

In the quest to stay ahead of cyber-threats, many cyber-security teams have turned to a well-understood military concept, the kill chain, which details how adversaries structure their attacks. They are working to implement their own defenses in order to anticipate and react to where the attacks are coming from. But Chris Coleman, CEO of LookingGlass, said that most common security architectures do not address the complete concept of the cyber kill chain and instead just defend their organization's perimeter. "Organizations are faced with threats that are continuously evolving to avoid detection before and after their targets are exploited. Ideally, threats are mitigated early in the cyber kill chain. This avoids the threat actor gaining a foothold within an organization to attack laterally and find higher value assets," said Allan Thomson, CTO of LookingGlass Cyber Solutions, which focuses on addressing threats throughout the life cycle. His tips, listed above, cover how to handle threats during seven stages of the chain: reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, and privileged operations, resource access and exfiltration. The report features Gartner research.

Karen A. Frenkel writes about technology and innovation and lives in New York City.